Perhaps a bit off topic. But since it is security related I might as well ask it.

What do the diverse exec-shield settings 3, 11, 9 mean?
By default I have exec-shield = 9. Setting it to 2 works too.

Kind regards,
Peter

On 7/22/06, Paul Howarth <paul@xxxxxxxxxxxx> wrote:
On Fri, 2006-07-21 at 14:14 -0700, Michael Thomas wrote:
> > You should check that the transition has happened by running ps with the
> > "-Z" option to show the process context when you're running the
> > application.
>
> It shows up as crossfire_exec_t because...

crossfire_exec_t? Not crossfire_t?

> > Note that most things running confined under targeted policy are started
> > from initscripts and there is no transition from unconfined_t needed (or
> > wanted). That's not the case here though.
>
> ...it is started from an init script. Normal (unconfined) users should
> not be starting this by hand. Instead, normal users will run the client
> application which connects to this server. In this case, it sounds like
> I don't need the rule to transition from unconfined_t.

Right; I must have missed the initscript in the files list. So yes, you
are correct that you don't need (or even want) the transition from
unconfined_t.

> >>Some things that would be nice to clarify:
> >>
> >>Should selinux be added as a subpackage or automatically included in the
> >>base package?
> >
> >
> > I don't have a strong opinion either way on this. I've tended to stick
> > to keeping everything together because I find it easier to manage that
> > way. As long as the SELinux bits don't get in the way of people not
> > using them, I don't think it's a problem.
>
> I think I would prefer to use a separate package (not integrated with
> the base package), so that the policy can be turned on and off by simply
> installing/uninstalling the -selinux package.

Bear in mind that there should be a crossfire_disable_trans boolean that
would turn off the policy (or rather the transition to crossfire_t) when
set, without having to uninstall the policy.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
I have made this letter longer than usual, because I lack the time to make it short.